CVE-2021-3036 PAN-OS: Administrator secrets are logged in web server logs when using the PAN-OS XML API incorrectly
Description
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly.
This vulnerability applies only to PAN-OS appliances that are configured to use the PAN-OS XML API and exists only when a client includes a duplicate API parameter in API requests.
Logged information includes the cleartext username, password, and API key of the administrator making the PAN-OS XML API request.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS 10.0 | < 10.0.1 | >= 10.0.1 |
| PAN-OS 9.1 | < 9.1.6 | >= 9.1.6 |
| PAN-OS 9.0 | < 9.0.12 | >= 9.0.12 |
| PAN-OS 8.1 | < 8.1.19 | >= 8.1.19 |
Required Configuration for Exposure
This vulnerability applies only to PAN-OS appliances that are configured to use the PAN-OS XML API.
Severity: MEDIUM
CVSSv3.1 Base Score: 4.4 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-532 Information Exposure Through Log Files
Solution
This issue is fixed in PAN-OS 8.1.19, PAN-OS 9.0.12, PAN-OS 9.1.6, PAN-OS 10.0.1, and all later PAN-OS versions.
After you upgrade the PAN-OS appliance, you must change the passwords and generate a new API key for all impacted PAN-OS administrators.
Workarounds and Mitigations
You must change the passwords and generate a new API key for all impacted PAN-OS administrators. Confirm that there aren’t any PAN-OS XML API requests that repeat API parameters in the request.
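As an added example (not Palo Alto Networks' code or a PAN-OS tool), the following Python check covers both mitigation steps: it flags client requests that repeat a query parameter while also carrying a secret one, and it scans web-server log lines to find which requests matched the exposure condition so the affected administrators can have passwords changed and API keys regenerated. The parameter names user, password and key are the PAN-OS XML API's keygen and API-key parameters; the log line format and all values in the sample are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameters that carry administrator secrets in PAN-OS XML API calls:
# "user" and "password" for type=keygen, "key" for the API key on later calls.
SECRET_PARAMS = {"user", "password", "key"}

# Constructed web-server log lines in an assumed common-log-style format
# (not the real PAN-OS log format); usernames, password and key are made up.
LOG_LINES = [
    '10.0.0.5 - - [01/Apr/2021:12:00:00 +0000] "GET /api/?type=keygen&user=admin&password=Hunter2 HTTP/1.1" 200 312',
    '10.0.0.5 - - [01/Apr/2021:12:01:00 +0000] "GET /api/?type=keygen&user=admin&password=Hunter2&user=admin HTTP/1.1" 200 312',
    '10.0.0.6 - - [01/Apr/2021:12:02:00 +0000] "GET /api/?type=op&cmd=%3Cshow%3E&key=FAKEKEY&key=FAKEKEY HTTP/1.1" 200 1024',
]

# Pulls the request target out of a logged request line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def query_params(url: str) -> list:
    """All (name, value) pairs of the URL's query string, duplicates kept."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def duplicated_params(url: str) -> dict:
    """{name: count} for parameters sent more than once: the client misuse
    under which CVE-2021-3036 writes the request's secrets to the log."""
    counts = {}
    for name, _ in query_params(url):
        counts[name] = counts.get(name, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}


def request_is_risky(url: str) -> bool:
    """True when a request repeats a parameter AND carries a secret parameter,
    i.e. the client should be corrected before it is used against an
    unpatched appliance."""
    names = {n for n, _ in query_params(url)}
    return bool(duplicated_params(url)) and bool(names & SECRET_PARAMS)


def exposed_from_logs(lines: list) -> list:
    """Return [(line_number, sorted secret parameter names)] for every logged
    request matching the exposure condition. Secret values are never returned,
    only which kinds of secret were written to the log on which line."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match or not request_is_risky(match.group(1)):
            continue
        names = {n for n, _ in query_params(match.group(1))} & SECRET_PARAMS
        findings.append((number, sorted(names)))
    return findings
```

Running `exposed_from_logs(LOG_LINES)` reports lines 2 and 3 only: line 1 carries secrets but repeats nothing, so the advisory's logging condition is not met.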